Exploit And Vulnerability Intelligence

Exploit Intelligence

Leverage best-in-class exploit intelligence from VulnCheck to understand the state of vulnerability exploitation for a given vulnerability.

VulnCheck Exploit & Vulnerability Intelligence replaces the need to have separate scripts for downloading the NIST National Vulnerability Database (NVD), the CISA KEV catalog, etc. By integrating with VulnCheck Exploit & Vulnerability Intelligence, you're integrating with an Open Source Intelligence (OSINT) product that has best-in-class information, in a timely manner, on vulnerability exploitation and vulnerabilities generally.

Most importantly, unlike other purely vulnerability-centric solutions, VulnCheck marries exploit intelligence with vulnerability intelligence. By coupling exploit intelligence with vulnerability intelligence, better insights into vulnerability prioritization & remediation can be gained.

On the exploitation side, VulnCheck Exploit & Vulnerability Intelligence include a wide range of features designed to help understand the state of vulnerability exploitation. Such features include, but are not limited to:

  • Monitoring of Git repositories, blog posts and other sources for new exploit PoCs
  • Review and validation of exploit PoCs
  • Caching of exploit PoCs
  • Exploit Maturity classification
  • Exploit Type classification
  • Evidence of exploitation in-the-wild
  • Exploit/Exploitation timelines
  • Ransomware families, threat actor, botnet, and exploit counts

Exploit Maturity

Max Exploit Maturity | Meaning
Weaponized | Weaponized refers to an exploit that is explicitly malicious, such as cases where the exploit is contained within malware (e.g., a malicious Microsoft Word document), has been reported as exploited in the wild, or facilitates "point & click" exploitation (e.g., works against all or most targets and works reliably, such as exploits in Metasploit, VulnCheck Initial Access Intelligence, CANVAS, or Core Impact). Additionally, weaponized exploits typically have secondary payloads, droppers, or implants.
POC | "POC" (proof of concept) is currently anything that can be used to demonstrate exploitation. This can be a blog post, a curl request, a Python script, etc.

Exploit Type Classification

VulnCheck Exploit & Vulnerability Intelligence maintains an Exploit Type field on each exploit it indexes. The Exploit Type field helps distinguish between high-impact exploits, like initial access exploits, and lower-impact exploits, like denial of service exploits.

Exploit Type Definitions

Exploit Type | Meaning
Initial Access | Initial Access exploits are typically the highest-impact exploits published. These vulnerabilities, also sometimes referred to as Remote Code Execution (RCE) vulnerabilities, are remote in nature and typically do not require credentials to exploit.
Remote with credentials | Remote with credentials exploits are remote exploits, typically targeting network-bound applications, that require credentials to exploit.
Local | Examples of local exploits include those targeting setuid binaries on Linux.
Client-side | Examples of client-side exploits include those targeting client applications, such as Microsoft Word or Excel.
Infoleak | Infoleak exploits leak data from a target without compromising the integrity of that target.
Denial of Service | Denial of Service exploits typically cause a service or application to crash. Note: often a denial-of-service exploit targets an initial-access vulnerability before an initial-access exploit has been posted.

The above table shows the currently available Exploit Types in VulnCheck Exploit & Vulnerability Intelligence.

Example Exploit Record

The VulnCheck API makes it easy to get started with VulnCheck Exploit & Vulnerability Intelligence. To start, simply query the exploits index via the /v3/index/:index?cve=:cve API as follows:

curl --request GET \
    --url https://api.vulncheck.com/v3/index/exploits?cve=CVE-2019-3396 \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer insert_token_here'

The above example searches the exploits index for information on CVE-2019-3396.

Example API Response for Exploits by CVE

After calling the /v3/index/exploits?cve=:cve API endpoint with a valid CVE identifier, a response similar to the one below is returned:

{
  "_benchmark": 0.055187,
  "_meta": {
    "index": "exploits",
    // ...
  },
  "data": [
    {
      "id": "CVE-2019-3396",
      "public_exploit_found": true,
      "commercial_exploit_found": true,
      "weaponized_exploit_found": true,
      "max_exploit_maturity": "weaponized",
      "reported_exploited": true,
      "reported_exploited_by_threat_actors": true,
      "reported_exploited_by_ransomware": true,
      "reported_exploited_by_botnets": true,
      "inKEV": true,
      "timeline": {
        "nvd_published": "2019-03-25T19:29:00Z",
        "nvd_last_modified": "2021-12-13T16:05:00Z",
        "first_exploit_published": "2019-03-25T00:00:00Z",
        "first_exploit_published_weaponized_or_higher": "2019-04-11T00:00:00Z",
        "most_recent_exploit_published": "2021-05-01T02:10:04Z",
        "first_reported_threat_actor": "2019-08-19T00:00:00Z",
        "most_recent_reported_threat_actor": "2021-01-01T00:00:00Z",
        "first_reported_ransomware": "2019-04-23T00:00:00Z",
        "most_recent_reported_ransomware": "2022-06-22T00:00:00Z",
        "first_reported_botnet": "2019-04-26T00:00:00Z",
        "most_recent_reported_botnet": "2022-04-27T00:00:00Z",
        "cisa_kev_date_added": "2021-11-03T00:00:00Z",
        "cisa_kev_date_due": "2022-05-03T00:00:00Z"
      },
      "trending": {
        "github": false
      },
      "epss": {
        "epss_score": 0.97498,
        "epss_percentile": 0.9996,
        "last_modified": "2023-08-15T13:49:54.769353Z"
      },
      "counts": {
        "exploits": 22,
        "threat_actors": 3,
        "botnets": 3,
        "ransomware_families": 4
      },
      "exploits": [
        {
          "url": "https://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html",
          "name": "Atlassian Confluence 6.12.1 Template Injection",
          "refsource": "packetstorm",
          "date_added": "2021-01-22T00:00:00Z",
          "exploit_maturity": "poc",
          "exploit_availability": "publicly-available"
        },
        {
          "url": "https://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html",
          "name": "Atlassian Confluence Widget Connector Macro Velocity Template Injection",
          "refsource": "packetstorm",
          "date_added": "2019-04-18T00:00:00Z",
          "exploit_maturity": "poc",
          "exploit_availability": "publicly-available"
        }
        // ...
      ],
      "reported_exploitation": [
        {
          "url": "https://cisa.gov/news-events/cybersecurity-advisories/aa21-209a",
          "name": "Top Routinely Exploited Vulnerabilities",
          "refsource": "cisa-alerts",
          "date_added": "2021-08-20T00:00:00Z"
        },
        {
          "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
          "name": "Potential for China Cyber Response to Heightened U.S.–China Tensions",
          "refsource": "cisa-alerts",
          "date_added": "2020-10-20T00:00:00Z"
        }
        // ...
      ]
    }
  ]
}

The above example response shows what the exploits index returns for CVE-2019-3396.
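As an added example (not VulnCheck's own client code), the script below turns a record of the shape shown above into a remediation priority: it reads max_exploit_maturity, inKEV, reported_exploited and the EPSS score, and computes the number of days between NVD publication and the first weaponized exploit from the timeline block. The P1..P4 tier rules are assumptions chosen for this example, and SAMPLE_RECORD is a trimmed copy of the CVE-2019-3396 record above standing in for the "data" array of a live /v3/index/exploits?cve=:cve response.

```python
from datetime import datetime

# Constructed sample: a trimmed copy of the CVE-2019-3396 record shown above.
SAMPLE_RECORD = {
    "id": "CVE-2019-3396",
    "max_exploit_maturity": "weaponized",
    "reported_exploited": True,
    "reported_exploited_by_ransomware": True,
    "inKEV": True,
    "timeline": {
        "nvd_published": "2019-03-25T19:29:00Z",
        "first_exploit_published": "2019-03-25T00:00:00Z",
        "first_exploit_published_weaponized_or_higher": "2019-04-11T00:00:00Z",
        "cisa_kev_date_added": "2021-11-03T00:00:00Z",
    },
    "epss": {"epss_score": 0.97498},
}


def _ts(value):
    """Parse the API's RFC 3339 'Z' timestamps; None when the field is absent."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def days_to_weaponization(record):
    """Days between NVD publication and the first weaponized-or-higher exploit,
    or None when either timeline field is missing (no weaponized exploit yet)."""
    tl = record.get("timeline") or {}
    start = _ts(tl.get("nvd_published"))
    end = _ts(tl.get("first_exploit_published_weaponized_or_higher"))
    return None if start is None or end is None else (end - start).days


def priority(record):
    """Map the record's exploit-intelligence signals onto a P1..P4 tier.
    P1: weaponized exploit and in-the-wild reporting (inKEV or reported_exploited).
    P2: weaponized exploit, or in-the-wild reporting, or EPSS >= 0.5.
    P3: only a PoC is public. P4: no public exploit known.
    (Tier rules are assumptions for this example, not VulnCheck's.)"""
    maturity = (record.get("max_exploit_maturity") or "").lower()
    in_the_wild = bool(record.get("inKEV") or record.get("reported_exploited"))
    epss = (record.get("epss") or {}).get("epss_score") or 0.0
    if maturity == "weaponized" and in_the_wild:
        return "P1"
    if maturity == "weaponized" or in_the_wild or epss >= 0.5:
        return "P2"
    return "P3" if maturity == "poc" else "P4"
```

For CVE-2019-3396 this yields P1 with 16 days from NVD publication to the first weaponized exploit, which is the kind of gap the Exploit/Exploitation timeline feature is meant to expose.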